How to build an immune system for cybersecurity attacks

By William Jackson

Nov 08, 2012

This is the second in a three-part series on building a government cybersecurity ecosystem.

The Department of Homeland Security and the National Institutes of Standards and Technology are spearheading an effort to develop a self-healing cyber “ecosystem” across government and industry organizations that could automatically assess and respond to threats.

In this series:

Could a cyber ecosystem defend itself? A multiagency group hopes to create a cyber ecosystem that could learn to automatically assess and respond to threats. Where would humans fit in the loop?

How to build an immune system for cybersecurity. Government researchers are using the human immune system as a model for building a cybersecurity ecosystem, whose features would include automation, interoperability and authentication technologies.

Agencies outline future cyber ecosystems. Plans to develop an automated system for defending agencies from cyber attacks could look to existing agency projects, including the Energy Department's Smart Grid and FAA's Next Generation Air Transportation System, as models for self-healing networks.

The agencies, which asked for input on the idea in a recent request for proposals, say the seriousness and scale of today's cyber threats make a self-defending network an idea whose time has come.

Yet the search for models for an “automated collective action” goes back a decade or more. Most recently, creating a healthy, secure cyber ecosystem was one of the two focus areas identified in the DHS Blueprint for a Secure Cyber Future, released in late 2011. The other was protection of the nation’s critical infrastructure.

It was written under the direction of Philip Reitinger, then DHS deputy under secretary for the National Protection and Programs Directorate, who has since moved on to Sony Corp.

It envisions "a 'healthy cyber ecosystem' -- where cyber devices collaborate in near-real time in their own defense." In such a system, "power is distributed among participants, and near-real time coordination is enabled by combining the innate and interoperable capabilities of individual devices with trusted information exchanges and shared, configurable policies."

The immune system is not a perfect model, however. In humans, auto-immune diseases lead the immune system to attack the body it is supposed to protect, a situation that researchers and developers want to avoid in a secure cyber ecosystem.

The ecosystem would start where continuous monitoring for vulnerabilities is today, and the end state would advance to include automated responses, with broad-based threat and incident monitoring, data dissemination, threat analysis, intervention recommendations and coordination of preventive actions. The three building blocks identified in the Reitinger paper as necessary to enable such a system are:

Automation, which would enable the system and devices connected with it to respond at machine speeds based on conditions being monitored and data being gathered in near-real time.

Interoperability, which includes semantic elements such as standardized lexicons; technical interoperability between different brands and types of products and tools; and policy. Security management is already taking advantage of some of these elements; the Security Content Automation Protocol (SCAP), for instance, is an example of semantic interoperability. The challenge is moving beyond management to operational security.

Authentication, which is necessary to provide the trust needed for information sharing and automation. “The paper looks to the emerging National Strategy for Trusted Identities in Cyberspace to build a shared foundation,” the executive summary said.

Tools embodying these elements would not have to be universally deployed to enable a secure ecosystem. "Some simulations indicate that about 30 to 35 percent of devices would need to cooperate in order for such a course of action to work," the paper says. "These numbers are important, because they indicate that success is not dependent on the participation of all or even a majority of devices; therefore, large-scale infrastructure modification is not required to make the ecosystem fundamentally more secure."